National Aeronautics and
Space Administration

Office of Inspector General
Washington, DC 20546-0001

July 22, 2008

The Honorable Barbara A. Mikulski
Chairman
Subcommittee on Commerce, Justice, Science, and Related Agencies
Committee on Appropriations
United States Senate
Washington, D.C. 20510

Subject: NASA's Compliance with Federal Export Control Laws and Risks Associated with the Illegal Transfer or Theft of Sensitive Technologies (Report No. IG-08-022)

Dear Chairman:

This letter is sent in compliance with Public Law 106-391, "National Aeronautics and Space Administration Authorization Act of 2000." That law requires that the Inspector General of NASA conduct an annual audit of NASA policies and procedures with respect to the export of technologies and the transfer of scientific and technical information (STI) to assess the extent to which NASA is carrying out its activities in compliance with Federal export control laws and other reporting requirements. In addition, Conference Report 108-401, which accompanied H.R. 2673, the "Consolidated Appropriations Act, 2004," directed that NASA and the NASA Inspector General work together and report annually on the risks associated with the illegal transfer or theft of sensitive technologies from NASA.

The NASA Office of Inspector General (OIG) continues to work closely with NASA's Office of the Chief Information Officer (OCIO), Office of Security and Program Protection (OSPP), Office of General Counsel, and Office of External Relations to identify and reduce the risks associated with the illegal transfer or theft of sensitive technologies and to ensure compliance with Federal export control laws. We remain committed to ensuring that incidents of stolen or compromised sensitive data and technology receive immediate action and that those responsible are held accountable. The Office of External Relations is continuing its initiative to reach out to NASA authors to ensure that NASA's STI is properly approved for public release before it is presented at conferences, published in scientific journals, or otherwise disseminated. The initiative was launched, in part, as a result of our audit report IG-08-017, "Actions Needed to Ensure Scientific and Technical Information Is Adequately Reviewed at Goddard Space Flight Center, Johnson Space Center, Langley Research Center, and Marshall Space Flight Center," June 2, 2008. We also continue to work with OCIO and OSPP to address counter-intelligence and counter-terrorism issues (the results of which cannot be addressed in this document).

To comply with the Public Law and the Conference Report requirement, NASA OIG conducted, is conducting, or plans to conduct the audits, investigations, and reviews reported herein. This letter does not provide detailed information about our findings; however, we will provide you with copies of each product, some of which are marked sensitive but unclassified (SBU), and will discuss any of these products with you or your staff at your request.

Status of the Agency IT Security Program and OIG Assessment

The strength of NASA's information technology (IT) security program is crucial to protecting the Agency against the illegal transfer or theft of sensitive technologies. In our annual report to the Administrator, "NASA's Most Serious Management and Performance Challenges" (last issued November 13, 2007), we continued to report findings on management, operational, and technical control weaknesses that affect the Agency's IT Security Program and threaten the confidentiality, integrity, and availability of NASA information and systems. The threat is tangible in that the Agency continues to be a target for criminal computer intrusions. For example, we investigated a series of unlawful computer intrusions into NASA's Earth Observation System networks. The operational impact these intrusions have had on the Agency's mission, such as the temporary suspension of automated processes, has been significant. In one case during fiscal year (FY) 2007, an unlawful intrusion resulted in approximately $1 million in Agency losses.

NASA has also recognized IT security as a material weakness in its system of internal controls. Demonstrating its commitment to improving its security posture, NASA has reported making enterprise infrastructure improvements and progress against its IT security corrective action plan, as well as adequately meeting the requirements of the Federal Information Security Management Act (FISMA). On the basis of these reported improvements, the OIG is currently evaluating the actions NASA has taken to improve IT security so that we may provide the Agency with an independent assessment of its progress.

OIG Products Issued in FY 2007 and FY 2008

Since our last letter to Congress, issued in July 2007, we have issued six products that directly or indirectly relate to identifying and reporting on risks associated with the illegal transfer or theft of sensitive technologies. These products identified systemic issues related to a lack of consistent application of, or noncompliance with, established policies and regulations. Inconsistent application of, and noncompliance with, policies and regulations could place NASA's export-controlled technologies and data at risk of being stolen or compromised.

"NASA's Reporting of Performance Measure Data for the Federal Information Security Management Act (FISMA) Needed Improvement at Four Centers and NASA Headquarters" (Report No. IG-07-023, September 6, 2007)
Sensitive But Unclassified – Not for Public Release

We reviewed selected IT systems at four NASA Centers and Headquarters to determine whether NASA had satisfied FISMA performance measure reporting requirements. We found that those Centers and Headquarters had not fully complied with the standards and guidance established by the National Institute of Standards and Technology (NIST), as required by FISMA. Of the 18 systems we reviewed, 15 lacked a NIST-compliant certification and accreditation (C&A), 13 had not undergone a security control review in the past year, and 6 lacked a tested contingency plan. Additionally, we found that NASA's databases contained inaccurate data on the systems we reviewed, and when we compared data from the databases with NASA's FISMA report for the second quarter of FY 2006, we found discrepancies. As a result, we concluded that NASA's FISMA performance measure data were unreliable indicators of the overall status of the Agency's IT security program. We recommended that NASA ensure compliance with NIST requirements, validate the performance measure data reported in the FISMA quarterly reports, and retain documentary support for the reported data. Management's planned and completed corrective actions were responsive to our recommendations.

"Assessment of NASA's Certification and Accreditation Process" (Report No. IG-07-035, September 26, 2007)
Sensitive But Unclassified – Not for Public Release

The Office of Management and Budget (OMB) and NASA's OCIO requested that we provide, as part of the FY 2007 FISMA compliance review, an early assessment of NASA's C&A process for unclassified systems categorized as moderate- or high-impact. Overall, we found that OCIO's policies and procedures for the C&A process for unclassified systems complied with FISMA requirements; however, the quality assurance function of the process could be improved. Specifically, we found inaccuracies and inconsistencies in the C&A documentation for 11 of the 13 security assessment reports we reviewed. Inaccurate and inconsistent information in a security assessment report reduces the assurance that authorizing officials have the information they need to make a credible, risk-based accreditation decision, that is, whether to authorize operation of an information system. OCIO immediately began taking corrective actions to address our concerns. We recommended that OCIO provide formal notice of our findings to the contractor and the contracting officer and take the findings into consideration in the contract performance metric; increase oversight of deliverables provided by contractors; and formally remind system personnel of the importance of reviewing and verifying the accuracy of security assessment reports. NASA management concurred with the recommendations and is taking appropriate action.

"Federal Information Security Management Act: Fiscal Year 2007 Report from the Office of Inspector General" (Report No. IG-07-034, September 28, 2007)
Sensitive But Unclassified – Not for Public Release

FISMA requires agencies to report annually on the effectiveness of their IT security programs and requires Inspectors General to perform independent evaluations of their agencies' information security programs and practices. We performed our annual independent assessment of NASA's IT security posture and provided the results to OMB. In a memorandum, we notified the Administrator of our plan to identify IT security as a management and performance challenge in NASA's Fiscal Year 2007 Performance and Accountability Report. We also noted that NASA had identified its IT security program as a material weakness, reportable in accordance with the Federal Managers' Financial Integrity Act, and that the IT security program should continue to be reported as a material weakness until all previously identified security weaknesses have been mitigated.

"Actions Needed to Ensure Scientific and Technical Information Is Adequately Reviewed at Goddard Space Flight Center, Johnson Space Center, Langley Research Center, and Marshall Space Flight Center" (Report No. IG-08-017, June 2, 2008)
Available on the Internet

We conducted this audit to evaluate and test NASA's guidance for the review, approval, and release of STI. We found that although the roles and responsibilities for reviewing and approving STI were adequately defined and documented in NASA guidance, the guidance was not adequately implemented at the four Centers we reviewed. Specifically, we identified 413 STI items that had been publicly released at those Centers during FYs 2005 and 2006 without the required reviews. We recommended that
• the four Center Directors implement a plan to increase awareness of the STI review requirements contained in NASA guidance;
• NASA revise its STI guidance to require Center STI managers to promptly notify STI authors whether their STI has been approved for release and to prohibit STI authors from publicly releasing STI before approval is received; and
• NASA revise its STI guidance to include "effectiveness of the STI review process" as one of the annual performance measures used to determine whether NASA is achieving compliance with internal guidance.

Management concurred with the recommendations, and its proposed actions were responsive.

Intra-Agency Memorandums

Sale of Export-Controlled Items (March 2008)

In March 2008, we provided the NASA Office of General Counsel three referrals identifying individuals involved in the potential sale of items controlled under the International Traffic in Arms Regulations (ITAR). We recommended that cautionary letters be issued to those individuals explaining their obligations under ITAR and emphasizing the uncertainties inherent in selling defense articles, including Shuttle tiles, online. In one case, we also recommended that the Agency consider revising, updating, and strengthening its protocol for excessing property by working more closely with the NASA Export Control Office to devise procedures that prevent ITAR-controlled property from entering the stream of commerce.

Lost and Stolen Laptop Computers (April 28, 2008)

We recommended that Agency management take action regarding recent reports of lost and stolen laptops and other computer equipment. Most of the reports pointed to employee negligence as a contributing factor. NASA regulations require employees to protect and safeguard unclassified NASA information from unauthorized disclosure, including SBU information (e.g., information subject to ITAR), which is often found on NASA laptops. We recommended that the Agency review its current policies on safeguarding SBU information with a view toward raising or renewing awareness of Agency regulations and safeguarding NASA assets from loss, theft, and misuse. On May 19, 2008, NASA issued a message to all NASA civil service employees highlighting employee responsibilities for safeguarding equipment and electronic information and referencing the applicable NASA regulations on safeguarding Government property and electronic information.

Assignments in Progress

Our Office of Investigations is conducting several computer intrusion investigations involving NASA systems that contain technical data covered by ITAR or the Export Administration Regulations and that are potentially at risk of unlawful access. For example, this work includes a multi-agency investigation involving Romanian computer hackers. One of these hackers is being prosecuted by Romanian authorities; he has also been charged with conspiracy and nine counts of computer intrusion by the U.S. Attorney's Office for the Central District of California. We are also conducting other investigations involving the potentially unlawful disclosure of sensitive information covered by ITAR or the Export Administration Regulations. In all of these investigations, this office continues to work with Agency senior leadership to rectify the system weaknesses that allow network intrusions by outsiders and unauthorized disclosures by NASA civil service and contract employees.

Our Office of Audits is currently conducting three assignments related to the transfer, control, and protection of critical technology and sensitive data. The results of these assignments should assist the Agency and the OIG in determining the extent to which NASA is carrying out its activities in compliance with Federal export control laws and other reporting requirements.

"Federal Information Security Management Act: Fiscal Year 2008 Report from the Office of Inspector General" (Assignment No. A-08-006-00; projected issue date, September 2008)
Sensitive But Unclassified – Not for Public Release

In accordance with FISMA, Title III of the E-Government Act, we are conducting our annual review of the Agency's information security and privacy program and will report the results to OMB at the end of the fiscal year. We are conducting our work at all NASA Centers and NASA Headquarters.

"Foreign National Access to NASA's Export-Controlled Technology" (Assignment No. A-08-005-00; projected issue date, December 2008)
Sensitive But Unclassified – Not for Public Release

The objective of this audit is to determine whether NASA has effectively controlled contractors' and grantees' transfers of critical technologies and technical information to foreign nationals and countries of concern. We plan to conduct our audit work at contractor locations.

"Audit of NASA Personal Identity Verification (PIV) Processes" (Assignment No. A-08-009-00; projected issue date, December 2008)
Will be available on the Internet

The audit objective is to evaluate the adequacy of NASA's personal identity verification (PIV) processes to ensure that the required safeguards are in place to prevent unauthorized access to Agency facilities, systems, and data. Specifically, we will evaluate the adequacy of NASA's plans for managing the transition to PIV cards that comply with Homeland Security Presidential Directive 12 (HSPD-12), "Policy for a Common Identification Standard for Federal Employees and Contractors."

Office of Audits Planned Projects

For FY 2009, our Office of Audits is planning two assignments related to NASA's compliance with export control laws and regulations and the protection of scientific and technical information from illegal transfer. In addition to meeting our annual FISMA reporting requirement, we plan to conduct an audit of the identification and disposition of Space Shuttle Program export-controlled property.

As NASA continues its transition from the Space Shuttle Program to the Constellation Systems Program, safeguarding sensitive technologies will become even more critical to the safety of NASA missions and to national security. As the transition unfolds, we plan to broaden our focus to include not only the disposition of Space Shuttle Program assets but also the development of new technology, ensuring that key controls are in place to provide adequate assurance that the sensitive technologies of next-generation efforts are protected.

If you or your staff would like to meet with us to further discuss any of the issues addressed in this letter, please contact Ms. Evelyn Klemstine, Assistant Inspector General for Auditing, at 202-358-2572.

Sincerely,

[signed]

Thomas J. Howard
Deputy Inspector General

cc:
NASA Administrator
Deputy Assistant Administrator, Office of Security and Program Protection
Deputy Chief Information Officer for Information Technology Security
Director, Export Control and Interagency Liaison Division

Identical letter to:

The Honorable Richard Shelby
Ranking Member
Subcommittee on Commerce, Justice, Science, and Related Agencies
Committee on Appropriations
United States Senate

The Honorable Bill Nelson
Chairman
Subcommittee on Space, Aeronautics, and Related Sciences
Committee on Commerce, Science, and Transportation
United States Senate

The Honorable David Vitter
Ranking Member
Subcommittee on Space, Aeronautics, and Related Sciences
Committee on Commerce, Science, and Transportation
United States Senate

The Honorable Joseph I. Lieberman
Chairman
Committee on Homeland Security and Governmental Affairs
United States Senate

The Honorable Susan M. Collins
Ranking Member
Committee on Homeland Security and Governmental Affairs
United States Senate

The Honorable Alan B. Mollohan
Chairman
Subcommittee on Commerce, Justice, Science, and Related Agencies
Committee on Appropriations
House of Representatives

The Honorable Rodney P. Frelinghuysen
Ranking Member
Subcommittee on Commerce, Justice, Science, and Related Agencies
Committee on Appropriations
House of Representatives

The Honorable Henry A. Waxman
Chairman
Committee on Oversight and Government Reform
House of Representatives

The Honorable Thomas M. Davis III
Ranking Member
Committee on Oversight and Government Reform
House of Representatives

The Honorable Mark Udall
Chairman
Subcommittee on Space and Aeronautics
Committee on Science and Technology
House of Representatives

The Honorable Tom Feeney
Ranking Member
Subcommittee on Space and Aeronautics
Committee on Science and Technology
House of Representatives